WO2004107650A1 - A system and method of network authentication, authorization and accounting - Google Patents


Info

Publication number
WO2004107650A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
service
accounting
business
network
Prior art date
Application number
PCT/CN2003/001162
Other languages
French (fr)
Chinese (zh)
Inventor
Fuyou Miao
Original Assignee
Huawei Technologies Co., Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd
Related applications: US 10/558,751 (granted as US7653933B2); AU2003296236A1
Publication: WO2004107650A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/50 Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L41/5003 Managing SLA; Interaction between SLA and QoS
    • H04L41/5009 Determining service level performance parameters or violations of service level contracts, e.g. violations of agreed response time or mean time between failures [MTBF]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884 Authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L63/0892 Authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/53 Network services using third party service providers

Definitions

  • The present invention relates to network operation and management, and particularly to a network authentication, authorization and accounting system and method.
  • Since the birth of networks, authentication, authorization and accounting (AAA) have been the basis of their operation; the use of the various resources in a network is managed through them.
  • Authentication is the confirmation of a user's identity when the user uses resources in the network system: identity information (such as a username/password combination or a biometric) is obtained from the user and submitted to the authentication server (AAA server 3), which checks it against the user information stored in its database and decides from the result whether the claimed identity is correct.
  • For example, a GSM mobile communication system can identify the terminal equipment identifiers and subscriber identifiers within its network.
  • Authorization: the network system authorizes a user to use its resources in a specific way, specifying the services an authenticated user may use after accessing the network and the rights granted, such as the IP address assigned.
  • In GSM, legitimate users who have passed authentication hold service rights (for example whether international outgoing calls are enabled) agreed beforehand between the user and the operator.
  • Accounting: the network system collects and records the user's use of network resources in order to charge for it, or for auditing and other purposes. An ISP, for example, records a user's network access accurately by traffic volume or by time.
  • There are two levels of AAA: at the network resource level the network access provider authenticates, authorizes and accounts for users; at the network service level the service provider does so.
  • The first type of service on current networks is ordinary data services such as Web access, FTP (File Transfer Protocol) and e-mail, provided free of charge by service providers (funded by advertising, or used within an organization).
  • For these, the network access provider's accounting model is basically by traffic, by duration, or a combination of the two; user authentication is completed at the edge of the network by the network infrastructure provider's AAA facilities, and there is no service-specific authentication, authorization or accounting.
  • These services have low quality of service (QoS) requirements, are satisfied by best-effort forwarding, and are loosely coupled to the network, so the network infrastructure provider need only charge the user an access fee.
  • The service provider recovers its costs by collecting advertising revenue, by verifying and charging at the point where the service is provided, or by providing the service to its own organization.
  • The second type of service needs QoS guarantees, for example IP telephony, NGN (Next Generation Network), video conferencing, Internet radio/TV and VoD (Video on Demand). Such services require different levels of QoS protection from the network, otherwise they cannot operate normally; because of their special demands on network resources they need the cooperation of the network access provider. The basic model today is to build a separate network that carries only this type of service and to combine the service with network access, as in VoIP (Voice over IP).
  • AAA on today's networks basically uses RADIUS (Remote Authentication Dial In User Service) as the back-end protocol (between the Network Access Server (NAS) 2 and the AAA server 3), while the front-end protocol (between the user equipment and the access server) follows the access technology, for example 802.1X in Ethernet and WLAN (Wireless Local Area Network).
  • The current AAA framework is shown in Figure 1: the access server 2 (the NAS), on receiving a connection request from user equipment 1, encapsulates it in a protocol message supported by the AAA server 3 and sends it to the AAA server 3.
  • After several exchanges between user equipment 1 and the AAA server 3, the AAA server 3 instructs the access server 2 to admit the legitimate user, and the authorized user equipment 1 can then access the network 4.
  • For the first type of service, the network cannot control the service itself, only access to it.
  • For the second type, service access control is merged with access control: the access server 2 is both the EP (enforcement point, the device that performs access control) for network access and the EP for service access.
  • The types of service that can be offered are therefore limited, and offering a new second-type service requires upgrading the access server 2 and the AAA server 3, as in the case of VoIP.
  • Another possible scheme separates service and network access completely: the service provider and the network access provider each have their own AAA server 3 and facilities, and user authentication, authorization and accounting are separate.
  • The problem solved by the present invention is to provide a network authentication, authorization and accounting system and method that avoids the limitations of existing network equipment while guaranteeing quality of service and simplifying accounting.
  • The network authentication, authorization and accounting system of the present invention includes: user equipment, through which the user establishes a connection with the network;
  • an access server, connected to the user equipment, which connects the user equipment to the network;
  • an AAA server, connected to the access server, which together with the access server completes authentication, authorization and accounting of users accessing the network;
  • a service server, connected to the access server, which provides a specific service, exchanges authentication and authorization information with the AAA server, and exchanges the service with the user equipment;
  • a service accounting server, connected to the service server, which together with the service server accounts for the user's use of service resources and sends the accounting data to the AAA server.
  • The access server can sense quality of service, and the AAA server integrates the access accounting data and the service accounting data.
  • The service accounting server and the AAA server may be a single device; the service server may be a series of devices that together complete one service, and it stores service resource usage status records; the user equipment may be a computer, mobile phone, telephone or personal digital assistant.
  • The method of the present invention comprises: a. network access request step: the user logs in to the user equipment, which sends a network access request; b. authentication and authorization step: the AAA server and the access server complete user authentication from the user identity information, and the corresponding user equipment is authorized or refused access to the network; c. service access request step: user equipment authorized to access the network sends the service server a service access request containing the user identity information;
  • d. service confirmation and authorization step: the service server queries, through the service accounting server, the identity information stored in the AAA server to confirm the user's identity and the corresponding service usage rights. If they match the identity information and rights in the request, the service server accepts the access request and authorizes the start of the service interaction; otherwise the service is refused; e. service accounting step: the service server sends the user's service resource usage status record to the service accounting server, which computes the service charge from it to obtain the accounting data;
  • f. the AAA server obtains the service accounting data and integrates it with the access accounting data. Compared with the prior art, the present invention has the following advantages:
  • separating the service server from the access server lets service types be added to the network as needed without upgrading existing network equipment, which eases the development and deployment of services;
  • one authentication gives access to the various services on the network and accounting can be unified, which is convenient for users; and it gives the network access provider the means to control network services and provides an accounting channel for QoS.
  • Figure 1 is a schematic diagram of the existing network authentication, authorization and accounting system.
  • FIG. 2 is a schematic diagram of the network authentication, authorization and accounting system of the present invention.
  • FIG. 3 is a flowchart of the network authentication, authorization and accounting method of the present invention.
  • FIG. 4 is a detailed flowchart of FIG. 3.
  • FIG. 5 is a flowchart of adding a service in the network authentication, authorization and accounting method of the present invention.
  • Detailed description
  • The network authentication, authorization and accounting system includes user equipment 1, through which the user establishes a connection with the network. The user equipment 1 may be a computer, mobile phone, telephone, PDA (personal digital assistant) or similar device, and may connect to the network 4 by wireless or wired means such as GPRS (General Packet Radio Service), ADSL (Asymmetric Digital Subscriber Line), dial-up or WLAN.
  • The access server 2 is connected to the user equipment 1 and is a gateway able to provide network access to the user equipment 1 over wireless or wired technologies such as GPRS, ADSL, dial-up or WLAN.
  • The access server 2 need not be aware of the service, but must be able to sense QoS (quality of service). Whether an access server can sense QoS is a property of the network, which existing technology provides in various ways and which is not described further.
  • The AAA server 3 is connected to the access server 2 and, together with it, completes authentication, authorization and accounting of users accessing the network 4.
  • The service server 5 provides a specific service; it may also be a series of devices that together complete one service. It is connected to the access server 2, can exchange authentication and authorization information with the AAA server 3, and exchanges the service with the user equipment 1.
  • The service server 5 stores service resource usage status records.
  • The service accounting server 6 is connected to the service server 5 and, together with it, accounts for the user's use of service resources. It sends the accounting data to the AAA server 3 periodically or in real time, and the AAA server 3 integrates the access accounting data and the service accounting data.
  • The service accounting server 6 and the AAA server 3 may be a single device.
  • In service access control the user must first present identity information, which may take the form of a PKC/AC (public key certificate / attribute certificate), a token, a credential (identity certificate), and so on.
  • This identity information has already been confirmed/verified by the AAA server 3 at network access time.
  • The service server 5 queries the AAA server 3 through the service accounting server 6 to confirm the user's identity and authorization information, and then admits and authorizes the user's use of the service.
  • The method comprises: a. network access request step 30: the user logs in to user equipment 1, which sends a network access request;
  • b. authentication and authorization step 31: the AAA server 3 and the access server 2 complete user authentication from the user identity information, and the corresponding user equipment 1 is authorized or refused access to the network 4.
  • In detail: on receiving the access request, the access server 2 sends an authentication request to the AAA server 3; after verifying the user's identity, the AAA server 3 returns an authentication response to the access server 2; on receiving it, the access server 2 sends an access response to the user equipment 1, which is thereby authorized or refused access to the network.
  • c. service access request step 32: when the user wants to use a service on the network, the user equipment 1 authorized to access the network sends a service access request, containing the user identity information, to that service's service server 5.
  • d. service confirmation and authorization step 33: the service server 5 queries, through the service accounting server 6, the identity information stored in the AAA server 3 to confirm the user's identity and corresponding service usage rights. If they match the identity information and rights in the request, the service server 5 accepts the access request and authorizes the start of the service interaction; otherwise it refuses the service.
  • The service accounting server 6 may decide the service usage rights on its own, but the user's identity is always ultimately verified by the AAA server 3.
  • The service confirmation and authorization step may also include a service use request/verification, which determines the user's specific rights to use the service according to the status of the service resources and the identity of the user.
  • e. service accounting step 34: during or after the service interaction, the service server 5 sends the user's service resource usage status record to the service accounting server 6, which (ordinary accounting software suffices) computes the service charge from the record to obtain the accounting data.
  • f. step 35: the AAA server obtains the service accounting data and integrates the access and service accounting data.
  • The service accounting server 6 sends the accounting data to the AAA server 3 periodically or on events, or the AAA server 3 polls the service accounting server 6 periodically or on events to fetch it.
  • The network access provider, as the user's single point of contact, negotiates service/network usage and charging with the user, and can negotiate with the service provider over the use of the accounting data and how revenue is divided.
  • The accounting data passed by the service accounting server 6 to the AAA server 3 carries a service type code and should also include the service provider name/number, the service resource usage, and so on.
  • Adding a service: when a service provider adds a new service:
  • Step 50: the service provider builds a service server 5 and a service accounting server 6 for the new service, and negotiates with the network access provider how accounting data is collected and how service revenue is divided;
  • Step 51: determine whether the service is a default service. If not, the user applies to the service provider for the service, and the provider stores the user's data (identity information and usage rights; the user identity is the account assigned to the user by the network access provider) in the service accounting server 6. If it is a default service, it is provided to all users;
  • Step 52: perform steps 30-35: the user accesses the network with the identity information used for network access (such as account number and password) and uses the service with the same identity (that is, one ID for network access and for service access).
  • When the user uses another service, the same process (a-c) is followed and the identity information used for access (account number, password, etc.) is reused (that is, several services share one ID).
  • A single authentication thus gives access to the various services on the network and allows unified accounting, which makes the network and its services convenient to use.
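Steps c to f and the service-addition procedure above, as an added worked example that is not the patent's or Huawei's code: a Python model of the AAA server 3, a service server 5 and its service accounting server 6, driven through one network authentication that is then reused for service access, with the service accounting data merged back into the AAA server's access accounting. Accounts, passwords, provider names, service codes, tariffs and usage amounts are constructed sample data. The patent leaves the form of the identity information open (PKC/AC, token or credential); the example assumes the AAA server issues an opaque session token at network access time and that the service accounting server hands (account, token) back to the AAA server for confirmation, so the password never reaches the service side.

```python
"""Service-layer AAA flow: one network authentication reused for service access,
service accounting merged into the AAA server's access accounting.

Added example, not the patent's own code. All names, tariffs and amounts are constructed.
Assumption: the AAA server issues an opaque session token at network access time
(the patent only says the identity information may be a PKC/AC, token or credential).
"""
from dataclasses import dataclass
import hmac
import secrets


@dataclass
class UsageRecord:
    """What the service server 5 stores and later reports (step e)."""
    account: str
    units: int                                    # e.g. minutes of VoD viewed (constructed unit)


class AAAServer:                                  # AAA server 3
    def __init__(self, users):
        self.users = users                        # account -> password (constructed)
        self.sessions = {}                        # token -> account, filled at step b
        self.access_acct = {}                     # account -> access usage in MB
        self.service_acct = []                    # accounting data pushed by service accounting servers

    def authenticate(self, account, password):
        """Step b: verify the credential once; issue a session token for later service access."""
        stored = self.users.get(account)
        if stored is None or not hmac.compare_digest(stored, password):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = account
        return token

    def confirm_identity(self, account, token):
        """Step d, identity half: only the AAA server settles who the user is."""
        return self.sessions.get(token) == account

    def record_access(self, account, megabytes):
        self.access_acct[account] = self.access_acct.get(account, 0) + megabytes

    def receive_service_accounting(self, data):
        self.service_acct.extend(data)

    def integrate(self):
        """Step f: one statement per account, access accounting plus every service record."""
        bill = {a: {"access_mb": mb, "services": []} for a, mb in self.access_acct.items()}
        for rec in self.service_acct:
            bill.setdefault(rec["account"], {"access_mb": 0, "services": []})["services"].append(rec)
        return bill


class ServiceAccountingServer:                    # service accounting server 6
    def __init__(self, aaa, provider, service_code, tariff, default=False):
        self.aaa, self.provider, self.service_code = aaa, provider, service_code
        self.tariff, self.default = tariff, default   # charge per unit; default = open to all users
        self.rights = set()                       # accounts enrolled with the provider (step 51)

    def confirm(self, account, token):
        """Step d: usage rights may be decided here, identity never is."""
        if not self.aaa.confirm_identity(account, token):
            return False
        return self.default or account in self.rights

    def rate(self, records):
        """Step e: usage records become accounting data tagged with service type and provider."""
        data = [{"account": r.account, "service_code": self.service_code, "provider": self.provider,
                 "usage": r.units, "charge": r.units * self.tariff} for r in records]
        self.aaa.receive_service_accounting(data)
        return data


class ServiceServer:                              # service server 5
    def __init__(self, accounting):
        self.accounting, self.authorized, self.usage = accounting, set(), []

    def access(self, account, token):
        """Steps c/d: the request carries the identity info; admit only after confirmation."""
        if not self.accounting.confirm(account, token):
            return "rejected"
        self.authorized.add(account)
        return "accepted"

    def use(self, account, units):
        if account not in self.authorized:
            raise PermissionError(account)
        self.usage.append(UsageRecord(account, units))

    def report(self):
        data, self.usage = self.accounting.rate(self.usage), []
        return data


def demo():
    """Two users, an enrolled VoD service and a default mail service; returns decisions and the bill."""
    aaa = AAAServer({"alice": "alice-pw", "bob": "bob-pw"})
    vod = ServiceServer(ServiceAccountingServer(aaa, "VideoCo", "VOD", tariff=2))
    vod.accounting.rights.add("alice")            # step 51: alice applied for VoD, bob did not
    mail = ServiceServer(ServiceAccountingServer(aaa, "MailCo", "MAIL", tariff=1, default=True))
    t_alice, t_bob = aaa.authenticate("alice", "alice-pw"), aaa.authenticate("bob", "bob-pw")
    aaa.record_access("alice", 120)
    aaa.record_access("bob", 30)
    decisions = {
        "bad_password": aaa.authenticate("alice", "guess"),
        "alice_vod": vod.access("alice", t_alice),     # enrolled and network-authenticated
        "bob_vod": vod.access("bob", t_bob),           # authenticated but not enrolled
        "bob_mail": mail.access("bob", t_bob),         # default service, open to all users
        "forged": vod.access("alice", "00" * 16),      # token never issued by the AAA server
        "swapped": vod.access("alice", t_bob),         # bob's token presented under alice's account
    }
    vod.use("alice", 45)
    mail.use("bob", 10)
    vod.report()
    mail.report()
    return decisions, aaa.integrate()
```

The two rejections worth noticing are "bob_vod" and "swapped": a user who passed network authentication is still refused a service he is not enrolled in, and a valid token cannot be replayed under another account, because the service side never decides identity on its own. The merged bill carries the service type code and provider name the patent asks for, so the network access provider can split revenue per service.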

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A system and method of network authentication, authorization and accounting. The system comprises: a subscriber device, through which the subscriber establishes a connection with the network; an access server, connected to the subscriber device, which connects the subscriber device to the network; an AAA server, connected to the access server, which together with the access server performs authentication, authorization and accounting of subscribers accessing the network; a service server, connected to the access server, which provides specific services, exchanges authentication and authorization information with the AAA server and exchanges the service with the subscriber device; and a service accounting server, connected to the service server, which together with the service server accounts for the subscriber's use of service resources and transmits the accounting data to the AAA server. The invention also discloses a corresponding method of network authentication, authorization and accounting. Using a single set of subscriber log-on information (account/password), the subscriber is authenticated once and can then access the various services of the network, and all usage can be accounted together.

Description

Network authentication, authorization and accounting system and method

Technical Field

The present invention relates to network operation and management, and particularly to a network authentication, authorization and accounting system and method.

Background

Since the birth of networks, the authentication, authorization and accounting (AAA) regime has been the basis of their operation: the use of the various kinds of resources in a network is managed by authentication, authorization and accounting. Of these:

Authentication is the confirmation of a user's identity when the user uses resources in the network system. Identity information (such as a username/password combination or a biometric) is obtained through interaction with the user and submitted to the authentication server (AAA server 3), which checks it against the user information stored in its database and decides from the result whether the claimed identity is correct. For example, a GSM mobile communication system can identify the terminal equipment identifiers and subscriber identifiers within its network.

Authorization: the network system authorizes a user to use its resources in a specific way. This process specifies the services the authenticated user may use after accessing the network and the rights it holds, such as the IP address granted. Taking GSM again as an example, a legitimate user who has passed authentication has service rights (whether international outgoing calls are enabled, and so on) that the user and the operator agreed beforehand.

Accounting: the network system collects and records the user's use of network resources in order to charge the user for it, or for auditing and other purposes. Taking an Internet service provider (ISP) as an example, a user's network access can be recorded accurately by traffic volume or by time.

For a network user to use the services offered on a network normally, the user needs access to two kinds of resource: network resources (that is, the network access facilities) and network services. There are therefore two levels of AAA: at the network resource level the network access provider authenticates, authorizes and accounts for the user; at the network service level the service provider does so.

Two types of service exist on current networks. The first type is ordinary data services such as Web access, FTP (File Transfer Protocol) and e-mail. These are provided free of charge by the service provider (funded by advertising, or used within an organization). Correspondingly, the network access provider's accounting model is basically by traffic, by duration, or a combination of the two; user authentication is completed at the edge of the network by the network infrastructure provider's AAA facilities, and there is no service-specific authentication, authorization or accounting. Services of this type place low demands on network quality of service (QoS): best-effort forwarding meets their requirements, the coupling between service and network is low, and the network infrastructure provider need only charge the user an access fee. The service provider can recover the cost of providing the service by collecting advertising revenue, by verifying and charging at the point where the service is provided, or by providing the service to its own organization.

The second type is services that need a QoS guarantee, such as IP telephony, NGN (Next Generation Network), video conferencing, Internet radio/TV and VoD (Video on Demand). These require the network to provide different levels of QoS protection, otherwise the service cannot operate normally. Because of their special requirements on network resources, offering such services needs the cooperation of the network access provider. The basic model for offering them today is to build a separate network that carries only this type of service and to combine the service with network access, as in VoIP (Voice over IP).

AAA technology on current networks basically uses the RADIUS protocol (Remote Authentication Dial In User Service) as the back-end protocol (between the network access server (NAS) 2 and the AAA server 3), while the front-end protocol (between the user equipment and the access server) follows the access technology, for example 802.1X in Ethernet and WLAN (Wireless Local Area Network). The current AAA framework is shown in Figure 1: when the access server 2 (that is, the NAS) receives a connection request from user equipment 1, it encapsulates the request in a protocol message supported by the AAA server 3 and sends it to the AAA server 3. After several further exchanges between the user equipment 1 and the AAA server 3, the AAA server 3 sends the access server 2 an indication that the legitimate user may be admitted, and the authorized user equipment 1 can then access the network 4.
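The back-end exchange described above, as an added worked example that is not part of the patent or of any vendor's implementation: a minimal RFC 2865 Access-Request/Access-Accept round trip between a NAS and an AAA server in Python, standard library only. The shared secret, the user database, the packet identifier and the Framed-IP-Address returned as the "IP address granted" are constructed sample values. It shows the two computations both sides must agree on: the User-Password hiding (an MD5 keystream derived from the shared secret and the Request Authenticator) and the Response Authenticator that binds the reply to the request.

```python
"""RFC 2865 Access-Request / Access-Accept between a NAS and a RADIUS (AAA) server.

Added example, standard library only. The shared secret, user database and reply
attributes below are constructed sample values, not taken from the patent.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS = 1, 2, 8    # RFC 2865 attribute types
HEADER = struct.Struct("!BBH")                           # Code, Identifier, Length; 16-byte authenticator follows


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with MD5(secret || previous block);
    the 'previous block' of the first block is the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; the chaining value is the received ciphertext block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")       # removes the RFC padding (a password ending in NUL is not representable)


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1) Value, Length counting the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute list")   # refuse rather than skip a truncated attribute
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def response_authenticator(code, ident, attrs_bytes, req_auth, secret):
    """RFC 2865 s3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs_bytes)) + req_auth + attrs_bytes + secret).digest()


def nas_access_request(username, password, secret, ident, req_auth=None):
    """NAS side of step b: wrap the user's credentials in an Access-Request.
    The Request Authenticator must be unpredictable; it keys the password hiding."""
    req_auth = req_auth or os.urandom(16)
    body = encode_attrs([(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, req_auth))])
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth


def aaa_handle(packet, secret, user_db):
    """AAA server side: recover the password, check it, answer Accept (carrying the IP address
    granted) or Reject; either reply is sealed with the Response Authenticator."""
    code, ident, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    user = attrs.get(USER_NAME)
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply = encode_attrs([(FRAMED_IP_ADDRESS, bytes([10, 0, 0, 7]))]) if ok else b""   # constructed address
    return HEADER.pack(code, ident, 20 + len(reply)) + response_authenticator(code, ident, reply, req_auth, secret) + reply


def nas_check_response(packet, req_auth, ident, secret):
    """NAS side: act on the reply only if its authenticator binds it to our request and secret."""
    code, rid, length = HEADER.unpack(packet[:4])
    if rid != ident or length != len(packet) or length < 20:
        return None
    expected = response_authenticator(code, rid, packet[20:length], req_auth, secret)
    return code if hmac.compare_digest(expected, packet[4:20]) else None


def exchange(username, password, secret=b"constructed-shared-secret", user_db=None):
    """Run the whole NAS <-> AAA round trip; return the code the NAS accepted, or None if unverifiable."""
    user_db = user_db or {b"alice": b"correct horse battery"}
    req, req_auth = nas_access_request(username, password, secret, ident=0x2A)
    return nas_check_response(aaa_handle(req, secret, user_db), req_auth, 0x2A, secret)
```

Two caveats a practitioner should keep in mind. First, both constructions rest on MD5 keyed only by the shared secret, so a short or shared-across-NASes secret and a predictable Request Authenticator weaken the whole exchange; RFC 2869's Message-Authenticator (HMAC-MD5) and RADIUS over TLS (RFC 6614) are the usual hardening, together with keeping the NAS-to-AAA path on a protected network. Second, the NAS must check the Identifier and the Response Authenticator before acting on an Access-Accept, as `nas_check_response` does; a NAS that trusts any reply with the right code can be fed a forged Accept.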
上面的方案中, 对于第一类业务, 网络本身不能对业务本身进行 控制, 只能控制接入。对于笫二类业务的业务访问控制同接入控制是 合一的, 接入服务器 1既是网络接入的 EP (增强点, 执行接入控制 的设备),也是业务接入的 EP,因此网络上能够开展的业务种类有限, 并且如果需要在网络上开展新的第二类业务,就必须升级接入服务器 2和 AAA服务器 3, 如 VoIP的情况。  In the above solution, for the first type of service, the network itself cannot control the service itself, but can only control access. For type II services, the service access control is integrated with the access control. The access server 1 is both an EP (enhanced point, a device that performs access control) for network access, and an EP for service access. The types of services that can be carried out are limited, and if new second-type services need to be carried out on the network, the access server 2 and the AAA server 3 must be upgraded, as in the case of VoIP.
另外一种可能的方案是业务和网络的接入完全分开,业务提供商 和网络接入提供商分别有自己的 AAA服务器 3和设施,用户身份验证、 授权和计帐是分开的。  Another possible solution is that the service and network access are completely separated. The service provider and the network access provider have their own AAA server 3 and facilities, respectively. User authentication, authorization, and accounting are separated.
因为网络和业务完全分离, QoS的保证存在一定的困难。 另外用 户需要维护多套身份信息, 网络上也存在多个 AAA设施, 使用的方便 性受到损害。 尤其是网络接入提供商和业务提供商不是一个单位, 结 算就更不方便了。 Because the network and services are completely separated, there are certain difficulties in guaranteeing QoS. In addition, users need to maintain multiple sets of identity information. There are also multiple AAA facilities on the network, which is convenient to use. Sexual damage. In particular, the network access provider and the service provider are not a unit, and the settlement is even more inconvenient.
Summary of the Invention

The problem solved by the present invention is to provide a network authentication, authorization and accounting system and method that avoids the limitations of existing network equipment while guaranteeing quality of service and simplifying accounting.

To solve the above problem, the network authentication, authorization and accounting system of the present invention comprises:

user equipment, through which the user establishes a connection with the network;

an access server, connected to the user equipment, which connects the user equipment to the network;

an AAA server, connected to the access server, which together with the access server completes authentication, authorization and accounting of users accessing the network;

a service server, connected to the access server, which provides a specific service, exchanges authentication and authorization information with the AAA server and exchanges service data with the user equipment;

a service accounting server, connected to the service server, which together with the service server performs accounting of the user's service resource usage and sends the accounting data to the AAA server.

The access server is QoS-aware, and the AAA server combines the access accounting data with the service accounting data.

Furthermore, the service accounting server and the AAA server may be a single device; the service server may be a set of devices that together deliver one service, and it stores service resource usage records; the user equipment may be a computer, mobile phone, telephone or personal digital assistant.

Correspondingly, the network authentication, authorization and accounting method of the present invention comprises the following steps:

a. network access request step: the user logs in on the user equipment, which sends a network access request;

b. authentication and authorization step: the AAA server and the access server complete user authentication from the user identity information, and the user equipment is authorized or denied access to the network accordingly;

c. service access request step: user equipment authorized to access the network sends a service access request, containing the user identity information, to the service server;

d. service confirmation and authorization step: the service server queries, through the service accounting server, the identification information stored in the AAA server to confirm the user identity and the corresponding service usage rights; if the identification information matches the user identity information and the corresponding service usage rights, the service server accepts the access request and authorizes the start of service interaction, otherwise it refuses the service;

e. service accounting step: the service server sends the user's service resource usage record to the service accounting server, which derives the accounting data from that record;

f. the AAA server obtains the service accounting data and combines it with the access accounting data.

Compared with the prior art, the present invention has the following advantages:

1. The present invention separates the service server from the access server, so that service categories can be added to the network as required without upgrading equipment already on the network, which simplifies the development and deployment of services on the network;

2. A service accounting server is added, so that usage of network resources and usage of service resources are accounted for separately, and a data channel between the AAA server and the service accounting server allows the accounting results to be combined;

3. Only one set of user login information (account/password) is used; a single authentication gives access to the various services on the network, and accounting is unified, which makes the network and its services easier to use;

4. The network access provider's control over network services is simplified, and an accounting channel for QoS is provided.
Brief Description of the Drawings

Fig. 1 is a schematic diagram of an existing network authentication, authorization and accounting system.

Fig. 2 is a schematic diagram of the network authentication, authorization and accounting system of the present invention.

Fig. 3 is a flowchart of the network authentication, authorization and accounting method of the present invention.

Fig. 4 is a detailed flowchart of Fig. 3.

Fig. 5 is a flowchart of adding a service in the network authentication, authorization and accounting method of the present invention.

Detailed Description
Referring to Fig. 2, the network authentication, authorization and accounting system comprises:

user equipment 1, through which the user establishes a connection with the network; the user equipment 1 may be a computer, mobile phone, telephone, PDA (personal digital assistant) or similar device, and may connect to the network 4 by wireless or wired means such as GPRS (General Packet Radio Service), ADSL (Asymmetric Digital Subscriber Line), dial-up or WLAN;

access server 2, connected to the user equipment 1, a gateway that provides network access service to the user equipment 1 over wireless or wired technologies such as GPRS, ADSL, dial-up or WLAN; the access server 2 need not be service-aware, but it must be QoS-aware (quality of service). Whether the access server is QoS-aware is a property of the network that the prior art can provide in various ways, which are not repeated here;

AAA server 3, connected to the access server 2, which together with the access server 2 completes authentication, authorization and accounting of users accessing the network 4, and admission to the network 4;

service server 5, the server that actually provides the service, which may also be a set of devices that together deliver one service; it is connected to the access server 2, can exchange authentication and authorization information with the AAA server 3, and exchanges service data with the user equipment 1; in addition, the service server 5 stores service resource usage records;

service accounting server 6, connected to the service server 5, which together with the service server 5 performs accounting of the user's service resource usage and sends the accounting data to the AAA server 3 periodically or in real time; the AAA server 3 combines the access accounting data and the service accounting data. The service accounting server 6 and the AAA server 3 may also be a single device.

In the above system, a user who applies for network access and related services must first register. The user enters login information (such as name, account and password) at the interface of the user equipment 1, and the network 4 assigns the user a legitimate access identity based on that registration. The network 4 verifies the user's identity by checking whether the user identity information matches the identification information stored in the network; the user identity information comprises the login information and additional attribute information (such as identity ID, computer, location and access rights). In this system, authentication and accounting for network access are the same as in the existing AAA mechanism and process.

In service access control the user first presents identity information, which may take the form of a PKC/AC (public key certificate/attribute certificate), token or credential and which has already been confirmed/verified by the AAA server 3 at network access. The service server 5 does not act on that information by itself: it queries the AAA server 3 through the service accounting server 6 to confirm the user identity and authorization information, and only then admits the user and authorizes use of the service.
Referring to Figs. 3 and 4, the network authentication, authorization and accounting method of the present invention comprises the following steps:

a. network access request step 30: the user logs in on the user equipment 1, which sends a network access request;

b. authentication and authorization step 31: the AAA server 3 and the access server 2 together complete user authentication from the user identity information, and the user equipment 1 is authorized or denied access to the network 4 accordingly:

the access server 2 receives the access request and sends an authentication request to the AAA server 3; after verifying the user's identity, the AAA server 3 sends an authentication response to the access server 2; on receiving the authentication response, the access server 2 sends an access response to the user equipment 1, and the user equipment 1 is authorized or denied access to the network.

c. service access request step 32: when the user wants to use a service on the network, the user equipment 1, being authorized to access the network, sends a service access request containing the user identity information to the service server 5 of that service;

d. service confirmation and authorization step 33: the service server 5 queries, through the service accounting server 6, the identification information stored in the AAA server 3 to confirm the user identity and the corresponding service usage rights; if the identification information matches the user identity information and the corresponding service usage rights, the service server 5 accepts the access request and authorizes the start of service interaction, otherwise it refuses the service.

The service accounting server 6 may determine the service usage rights on its own, but user authentication is still ultimately performed by the AAA server 3.

Besides the service access request/verification, the service confirmation and authorization step may also include a service use request/verification, which determines the user's specific rights to use the service according to the state of the service resources and the user's identity.

e. service accounting step 34: during or after the service interaction, the service server 5 sends the user's service resource usage record to the service accounting server 6, which (ordinary accounting software suffices) calculates the service charges from the service resource usage record and produces the accounting data;

f. step 35: the AAA server obtains the service accounting data and combines the access and service accounting data. Either the service accounting server 6 sends the accounting data to the AAA server 3 periodically or on an event-driven basis, or the AAA server 3 queries the service accounting server 6 periodically or on an event-driven basis to obtain it.

The network access provider, as the sole interface to the user, negotiates service/network usage and charging with the user, and can negotiate with the service provider how accounting data is used and how charges are apportioned. When the service providers differ, this is settled by the agreement between the AAA server 3 and the service accounting server; the accounting data passed from the service accounting server 6 to the AAA server 3 carries a service type code and should also include the service provider name/number, the service resource usage, and so on.

Referring to Fig. 5, when a service provider adds a new service the procedure is:

a. step 50: the service provider builds the service server 5 and the service accounting server 6 for the new service and offers the service; as to accounting, the service provider negotiates with the network access provider how the accounting data is collected and how the service revenue is divided;

b. step 51: determine whether the service is a default service. If it is not, the user applies to the service provider for the service, and the data (user identification information and usage rights; the user identity is the account the network access provider assigned to the user) is stored in the service accounting server 6; if it is a default service, it is offered to all users;

c. step 52: perform steps 30-35: the user accesses the network with the identity information used for network access (account, password, etc.) and uses the service, i.e. the same ID is used for network access and for service access.

Further services are added with the same procedure (a-c) and are likewise used with the identity information used for access (account, password, etc.), i.e. several services share the same ID. In this way only one set of user login information (account/password) is needed, a single authentication gives access to the various services on the network, accounting is unified, and the network and its services are easier to use.
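Steps 30-35 above and the service-provisioning procedure of Fig. 5 form one protocol; the following Python simulation is an added example and is not code from the patent or from Huawei. Everything concrete in it is an assumption: the opaque session token that stands in for the "token/credential" the patent leaves unspecified, the salted-hash credential store, the tariffs, the provider number SP-01, the service type codes and the two constructed accounts. One point the patent's wording implies but does not spell out is made explicit: the service server never acts on the identity asserted in a service access request; it hands the presented token to the service accounting server, which resolves it at the AAA server, so a forged token or an unsubscribed service is refused before any usage is recorded.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

def password_digest(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()  # assumed store format

@dataclass
class AAAServer:
    """AAA server 3: the single account database; steps b, d (lookup) and f (merge)."""
    users: dict                                   # account -> (salt, digest)
    sessions: dict = field(default_factory=dict)  # opaque token -> account
    access_records: list = field(default_factory=list)
    service_records: list = field(default_factory=list)

    def authenticate(self, account, password):
        """Step b, driven by access server 2: a token on success, None on failure."""
        entry = self.users.get(account)
        if entry is None:
            return None
        salt, digest = entry
        if not hmac.compare_digest(password_digest(salt, password), digest):
            return None
        token = secrets.token_hex(16)  # assumed form of the token/credential
        self.sessions[token] = account
        return token

    def identify(self, token):
        return self.sessions.get(token)  # step d: a token never issued here resolves to nobody

    def record_access(self, account, megabytes, qos_class):
        price = {"best_effort": 0.01, "premium": 0.05}[qos_class]  # assumed tariff, QoS-aware access
        self.access_records.append({"account": account, "amount": round(megabytes * price, 4)})

    def collect(self, acct):
        self.service_records.extend(acct.flush())  # step f, pull variant

    def bill(self, account):
        """Combined access and service accounting for one account."""
        records = self.access_records + self.service_records
        return round(sum(r["amount"] for r in records if r["account"] == account), 4)

@dataclass
class ServiceAccountingServer:
    """Service accounting server 6: entitlements (Fig. 5), usage records (step e)."""
    aaa: AAAServer
    provider: str                                     # service provider name/number
    tariffs: dict = field(default_factory=dict)       # service -> (type code, price, default?)
    entitlements: dict = field(default_factory=dict)  # account -> set of services
    pending: list = field(default_factory=list)

    def add_service(self, name, type_code, price, default=False, subscribers=()):
        """Step 51: a default service needs no per-user entitlement."""
        self.tariffs[name] = (type_code, price, default)
        for account in subscribers:
            self.entitlements.setdefault(account, set()).add(name)

    def confirm(self, token, service):
        """Step d: identity is settled by the AAA server, the service right here."""
        account = self.aaa.identify(token)
        if account is None or service not in self.tariffs:
            return None
        default = self.tariffs[service][2]
        return account if default or service in self.entitlements.get(account, set()) else None

    def record_usage(self, account, service, units):
        """Step e: every record carries the service type code and the provider."""
        type_code, price, _ = self.tariffs[service]
        self.pending.append({"account": account, "provider": self.provider,
                             "service_type": type_code, "units": units,
                             "amount": round(units * price, 4)})

    def flush(self):
        records, self.pending = self.pending, []
        return records

@dataclass
class ServiceServer:
    """Service server 5: trusts no self-asserted identity; confirms through server 6."""
    acct: ServiceAccountingServer
    usage: list = field(default_factory=list)  # service resource usage records

    def request(self, token, service, units):
        account = self.acct.confirm(token, service)  # steps c and d
        if account is None:
            return False
        self.usage.append((account, service, units))
        self.acct.record_usage(account, service, units)  # step e
        return True

def build_demo():
    """Constructed deployment: two accounts, one subscribed service, one default service."""
    salt = b"constructed-salt"
    aaa = AAAServer(users={"alice": (salt, password_digest(salt, "correct horse")),
                           "bob": (salt, password_digest(salt, "battery staple"))})
    acct = ServiceAccountingServer(aaa, provider="SP-01")
    acct.add_service("voip", type_code=2, price=0.02, subscribers=["alice"])
    acct.add_service("portal", type_code=1, price=0.0, default=True)
    return aaa, acct, ServiceServer(acct)
```

Step f is shown in its pull form (the AAA server calls `collect`); the push form of claim 8 is the same `flush` invoked from the accounting server's side on a timer or on an event. Because the accounting server keeps the entitlements and the AAA server keeps the sessions, a compromised service server can at most record usage for identities the AAA server has actually authenticated.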

Claims
1. A network authentication, authorization and accounting system, comprising:

user equipment, through which the user establishes a connection with the network;

an access server, connected to the user equipment, which connects the user equipment to the network;

an AAA server, connected to the access server, which together with the access server completes authentication, authorization and accounting of users accessing the network;

characterized in that the system further comprises:

a service server, connected to the access server, which provides a specific service, exchanges authentication and authorization information with the AAA server and exchanges service data with the user equipment;

a service accounting server, connected to the service server, which together with the service server performs accounting of the user's service resource usage and sends the accounting data to the AAA server;

wherein the access server is QoS-aware and the AAA server combines the access accounting data with the service accounting data.

2. The network authentication, authorization and accounting system according to claim 1, characterized in that the service server stores service resource usage records.

3. The network authentication, authorization and accounting system according to claim 1, characterized in that the service accounting server and the AAA server are a single device.

4. The network authentication, authorization and accounting system according to claim 1, characterized in that the service server is a set of devices that together deliver one service.

5. A network authentication, authorization and accounting method based on the system of claim 1, characterized in that the method comprises the following steps:

a. network access request step: the user logs in on the user equipment, which sends a network access request;

b. authentication and authorization step: the AAA server and the access server complete user authentication from the user identity information, and the user equipment is authorized or denied access to the network accordingly;

c. service access request step: user equipment authorized to access the network sends a service access request, containing the user identity information, to the service server;

d. service confirmation and authorization step: the service server queries, through the service accounting server, the identification information stored in the AAA server to confirm the user identity and the corresponding service usage rights; if the identification information matches the user identity information and the corresponding service usage rights, the service server accepts the access request and authorizes the start of service interaction, otherwise it refuses the service;

e. service accounting step: the service server sends the user's service resource usage record to the service accounting server, which derives the accounting data from that record;

f. the AAA server obtains the service accounting data and combines it with the access accounting data.

6. The network authentication, authorization and accounting method according to claim 5, characterized in that step b further comprises the following steps:

the access server receives the access request and sends an authentication request to the AAA server;

after verifying the user's identity, the AAA server sends an authentication response to the access server; on receiving the authentication response, the access server sends an access response to the user equipment, and the user equipment is authorized or denied access to the network.

7. The network authentication, authorization and accounting method according to claim 5, characterized in that step d further comprises a service use request/verification, which determines the user's specific rights to use the service according to the state of the service resources and the user's identity.

8. The network authentication, authorization and accounting method according to claim 5, characterized in that in step f the service accounting server sends the service accounting data to the AAA server periodically or on an event-driven basis.

9. The network authentication, authorization and accounting method according to claim 5, characterized in that in step f the AAA server queries the service accounting server periodically or on an event-driven basis to obtain the service accounting data.

10. The network authentication, authorization and accounting method according to claim 5, characterized in that adding a new service comprises the following steps:

the service provider builds a service server and a service accounting server for the new service and offers the service;

determining whether the service is a default service; if it is, the service is offered to all users; if it is not, the user applies to the service provider for the service, and the user identification information and usage rights are stored in the service accounting server;

performing steps a-f, in which the user accesses the network with the identity information used for network access and uses the service.

11. The network authentication, authorization and accounting method according to any one of claims 5-10, characterized in that the user identity information comprises login information and additional attribute information, and the identity information is presented in the form of a public key certificate/attribute certificate, token or credential.
PCT/CN2003/001162 2003-06-02 2003-12-31 A system and method of network authentication, authorization and accounting WO2004107650A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US10/558,751 US7653933B2 (en) 2003-06-02 2003-12-31 System and method of network authentication, authorization and accounting
AU2003296236A AU2003296236A1 (en) 2003-06-02 2003-12-31 A system and method of network authentication, authorization and accounting

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN03137267.8 2003-06-02
CNB031372678A CN100337229C (en) 2003-06-02 2003-06-02 Network verifying, authorizing and accounting system and method

Publications (1)

Publication Number Publication Date
WO2004107650A1 (en) 2004-12-09

Family

ID=33480391

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2003/001162 WO2004107650A1 (en) 2003-06-02 2003-12-31 A system and method of network authentication, authorization and accounting

Country Status (4)

Country Link
US (1) US7653933B2 (en)
CN (1) CN100337229C (en)
AU (1) AU2003296236A1 (en)
WO (1) WO2004107650A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8494520B2 (en) 2007-07-20 2013-07-23 Bridgewater Systems Corp. Systems and methods for providing centralized subscriber session state information

Families Citing this family (41)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100583759C (en) 2004-12-13 2010-01-20 华为技术有限公司 Method for realizing synchronous identification between different identification control equipments
CN100372327C (en) * 2005-01-11 2008-02-27 华为技术有限公司 Service cell based network access system and method
DE102006012655B4 (en) * 2006-01-10 2008-12-24 Siemens Ag A method of providing quality of service in a WiMAX communication network and method of selecting an access transport resource control function by a policy decision function in a communication network
CN101064616A (en) * 2006-04-28 2007-10-31 华为技术有限公司 Network charging method, system and equipment
US9521210B2 (en) * 2006-10-06 2016-12-13 At&T Intellectual Property I, L.P. Methods and apparatus to install voice over internet protocol (VoIP) devices
US9219757B2 (en) * 2006-12-28 2015-12-22 Cable Television Laboratories, Inc. Message correlation
JP5023804B2 (en) * 2007-05-16 2012-09-12 コニカミノルタホールディングス株式会社 Authentication method and authentication system
DE102007046079A1 (en) * 2007-09-26 2009-04-02 Siemens Ag A method for establishing a secure connection from a service technician to an incident affected component of a remote diagnosable and / or remote controllable automation environment
US8380169B2 (en) * 2007-10-12 2013-02-19 Qualcomm Incorporated System and method for enabling transaction of femto cell information from a host terminal device to a guest terminal device
CN101426202B (en) * 2007-11-02 2012-04-18 华为技术有限公司 Method, device and system for network switching implementation
US9218469B2 (en) * 2008-04-25 2015-12-22 Hewlett Packard Enterprise Development Lp System and method for installing authentication credentials on a network device
WO2009132280A1 (en) * 2008-04-25 2009-10-29 Zte Corporation Carrier-grade peer-to-peer (p2p) network, system and method
CN101370304B (en) * 2008-09-19 2012-12-19 中兴通讯股份有限公司 Authentication implementing method and device
CN101841528A (en) * 2010-03-05 2010-09-22 中国电信股份有限公司 Service multi-terminal presentation method of uniform roaming authorization in IMS (Information Management System) environment as well as system thereof
US8520680B1 (en) 2010-03-26 2013-08-27 Juniper Networks, Inc. Address learning in a layer two bridging network
WO2011141066A1 (en) * 2010-05-12 2011-11-17 Modeva Interactive A method of authenticating subscription to a mobile content service
US8619788B1 (en) * 2010-06-14 2013-12-31 Juniper Networks, Inc. Performing scalable L2 wholesale services in computer networks
US8555332B2 (en) 2010-08-20 2013-10-08 At&T Intellectual Property I, L.P. System for establishing communications with a mobile device server
US8504449B2 (en) 2010-10-01 2013-08-06 At&T Intellectual Property I, L.P. Apparatus and method for managing software applications of a mobile device server
US8989055B2 (en) 2011-07-17 2015-03-24 At&T Intellectual Property I, L.P. Processing messages with a device server operating in a telephone
US8516039B2 (en) * 2010-10-01 2013-08-20 At&T Intellectual Property I, L.P. Apparatus and method for managing mobile device servers
US9392316B2 (en) 2010-10-28 2016-07-12 At&T Intellectual Property I, L.P. Messaging abstraction in a mobile device server
US20120123884A1 (en) * 2010-11-16 2012-05-17 Harinder Pal Singh Bhasin Store management via remote point of sale data management system
US9066123B2 (en) 2010-11-30 2015-06-23 At&T Intellectual Property I, L.P. System for monetizing resources accessible to a mobile device server
CN102186214B (en) * 2011-05-27 2014-02-05 中国电信股份有限公司 Method, system and control equipment for applying QoS (quality of service) service
CN102185728B (en) * 2011-06-10 2013-12-25 上海志新信息科技有限公司 Communication system and method with unified management platform
CN102905258B (en) * 2011-07-27 2018-03-13 中兴通讯股份有限公司 Own service authentication method and system
US8675664B1 (en) 2011-08-03 2014-03-18 Juniper Networks, Inc. Performing scalable L2 wholesale services in computer networks using customer VLAN-based forwarding and filtering
EP3039894B1 (en) * 2013-08-30 2018-10-03 Hewlett-Packard Enterprise Development LP Zeroconf profile transferring to enable fast roaming
CN103647985B (en) * 2013-10-18 2017-05-03 陆忠强 Digital television integrated signaling-data stream broadcasting system
CN103634119B (en) * 2013-12-13 2017-02-15 北京星网锐捷网络技术有限公司 Authentication method, application client, application server and authentication server
CN105812319B (en) * 2014-12-29 2019-07-05 新华三技术有限公司 Storage medium loading method and device
CN105933333A (en) * 2016-06-20 2016-09-07 锐捷网络股份有限公司 Authentication charging method and export gateway of enterprise network
CN106209912A (en) * 2016-08-30 2016-12-07 迈普通信技术股份有限公司 Access authorization methods, device and system
EP4373033A2 (en) * 2017-12-28 2024-05-22 Paxgrid CDN Inc. Server for authenticating and authorizing access to and accounting for wireless access vehicular environment consumption by client devices
DE102018204181B4 (en) * 2018-03-19 2023-01-12 Volkswagen Aktiengesellschaft Method for providing Internet access for a customer of a service provider and a computer program therefor
CN108366177B (en) * 2018-04-25 2023-10-03 沈康 Charging service system
US11431698B2 (en) * 2018-10-31 2022-08-30 NBA Properties, Inc. Partner integration network
CN111352740B (en) * 2018-12-21 2023-04-18 腾讯科技(深圳)有限公司 Application interaction processing method and device
US10412588B1 (en) * 2019-01-11 2019-09-10 Cisco Technology, Inc. Unified data repository proxy
CN110287710A (en) * 2019-06-03 2019-09-27 深圳市琦迹技术服务有限公司 Method for managing security and its relevant device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6311275B1 (en) * 1998-08-03 2001-10-30 Cisco Technology, Inc. Method for providing single step log-on access to a differentiated computer network
EP1191763A2 (en) * 2000-09-22 2002-03-27 Roke Manor Research Limited Access authentication system for a wireless environment
CN1458770A (en) * 2002-05-16 2003-11-26 华为技术有限公司 Method for AAA server control access device on Internet protocol network

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6385653B1 (en) * 1998-11-02 2002-05-07 Cisco Technology, Inc. Responding to network access requests using a transparent media access and uniform delivery of service
US6917617B2 (en) * 1998-12-16 2005-07-12 Cisco Technology, Inc. Use of precedence bits for quality of service
US7293096B1 (en) * 2001-09-28 2007-11-06 Cisco Technology, Inc. Maintaining a common AAA session id for a call over a network
DE60203099T2 (en) * 2002-06-04 2006-05-04 Alcatel A method, a network access server, an authentication, authorization, and accounting server, a computer program with proxy capability for user authentication, authorization, and billing messages through a network access server
CN1152333C (en) * 2002-07-31 2004-06-02 华为技术有限公司 Method for realizing portal authentication based on protocols of authentication, charging and authorization
CN100437550C (en) * 2002-09-24 2008-11-26 武汉邮电科学研究院 Ethernet confirming access method

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8494520B2 (en) 2007-07-20 2013-07-23 Bridgewater Systems Corp. Systems and methods for providing centralized subscriber session state information

Also Published As

Publication number Publication date
CN1553368A (en) 2004-12-08
AU2003296236A1 (en) 2005-01-21
CN100337229C (en) 2007-09-12
US7653933B2 (en) 2010-01-26
US20080235770A1 (en) 2008-09-25

Similar Documents

Publication Publication Date Title
WO2004107650A1 (en) A system and method of network authentication, authorization and accounting
JP4291213B2 (en) Authentication method, authentication system, authentication proxy server, network access authentication server, program, and recording medium
US7735126B2 (en) Certificate based authentication authorization accounting scheme for loose coupling interworking
JP5084086B2 (en) System and method for providing dynamic network authorization, authentication and account
CN1152333C (en) Method for realizing portal authentication based on protocols of authentication, charging and authorization
JP4728258B2 (en) Method and system for managing access authentication for a user in a local management domain when the user connects to an IP network
US7448075B2 (en) Method and a system for authenticating a user at a network access while the user is making a connection to the Internet
JP4892008B2 (en) Certificate authentication method, certificate issuing device, and authentication device
US20070199049A1 (en) Broadband network security and authorization method, system and architecture
JP5604176B2 (en) Authentication cooperation apparatus and program thereof, device authentication apparatus and program thereof, and authentication cooperation system
US7340525B1 (en) Method and apparatus for single sign-on in a wireless environment
WO2005096644A1 (en) A method for establishing security association between the roaming subscriber and the server of the visited network
JP2003520502A (en) Terminals and repositories in communication systems
US8621582B2 (en) Authentication system
JP2005525734A (en) Paid access to local area network
JP2009500734A (en) Centralized access permission method and system for online streaming content
US20090198996A1 (en) System and method for providing cellular access points
US20040010713A1 (en) EAP telecommunication protocol extension
WO2007124694A1 (en) Network charging method, system and device
WO2013023475A1 (en) Method for sharing user data in network and identity providing server
WO2011063658A1 (en) Method and system for unified security authentication
RU2253187C2 (en) System and method for local provision of meeting specified regulations for internet service providers
WO2012151933A1 (en) Owned service authentication method and system
CN101656963B (en) Method and system for managing network identities
CN102055772A (en) Method and system for authenticating subscriber

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 10558751

Country of ref document: US

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP